Hi again,
Had to remove log as email was too big (more than 128K) and rejected
Nicolas
-------- Forwarded Message --------
Subject: Re: No DNS/Kerberos after DC OS upgrade
Date: Sun, 30 Mar 2025 16:00:57 +1100
From: Nicolas Canonne <me at electronico.nc>
To: samba at lists.samba.org
Hi again,
More info:
DC1
> sudo systemctl status samba-ad-dc.service
-> at end
> mars 30 15:54:03 dc1 winbindd[876]: [2025/03/30 15:54:03.528964,  0]
> lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
> mars 30 15:54:03 dc1 winbindd[876]: /usr/sbin/samba-gpupdate:
> cldap_ret = net.finddc(domain=lp.get('realm'),
> flags=(nbt.NBT_SERVER_LDAP |
> mars 30 15:54:03 dc1 winbindd[876]: [2025/03/30 15:54:03.529100,  0]
> lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
> mars 30 15:54:03 dc1 winbindd[876]: /usr/sbin/samba-gpupdate:
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> mars 30 15:54:03 dc1 winbindd[876]: [2025/03/30 15:54:03.529161,  0]
> lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
> mars 30 15:54:03 dc1 winbindd[876]:   /usr/sbin/samba-gpupdate:
> samba.NTSTATUSError: (3221225524, 'The object name is not found.')
> mars 30 15:54:03 dc1 winbindd[876]: [2025/03/30 15:54:03.858605,  0]
> source3/winbindd/winbindd_gpupdate.c:182(gpupdate_cmd_done)
> mars 30 15:54:03 dc1 winbindd[876]:   gpupdate_cmd_done: gpupdate
> failed with exit status 1
> mars 30 15:54:08 dc1 samba[894]: [2025/03/30 15:54:08.762553, 0]
> source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
> mars 30 15:54:08 dc1 samba[894]:   dnsupdate_nameupdate_done: Failed
> DNS update with exit code 110
DC2
> sudo systemctl status samba-ad-dc.service
-> at end
> mars 30 15:54:40 dc2 samba[1014]: [2025/03/30 15:54:40.032763,  0]
> lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
> mars 30 15:54:40 dc2 samba[1014]:   /usr/sbin/samba_dnsupdate:
> ERROR(runtime): Record already exists; record could not be added. zone[>
> mars 30 15:54:40 dc2 samba[1014]: [2025/03/30 15:54:40.057604, 0]
> lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
> mars 30 15:54:40 dc2 samba[1014]:   /usr/sbin/samba_dnsupdate:
> ERROR(runtime): Record already exists; record could not be added. zone[>
> mars 30 15:54:40 dc2 samba[1014]: [2025/03/30 15:54:40.083504, 0]
> lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
> mars 30 15:54:40 dc2 samba[1014]:   /usr/sbin/samba_dnsupdate:
> ERROR(runtime): Record already exists; record could not be added. zone[>
> mars 30 15:54:40 dc2 samba[1014]: [2025/03/30 15:54:40.112796, 0]
> lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
> mars 30 15:54:40 dc2 samba[1014]:   /usr/sbin/samba_dnsupdate:
> ERROR(runtime): Record already exists; record could not be added. zone[>
> mars 30 15:54:40 dc2 samba[1014]: [2025/03/30 15:54:40.190527, 0]
> source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
> mars 30 15:54:40 dc2 samba[1014]:   dnsupdate_nameupdate_done: Failed
> DNS update with exit code 27
We are all down ... Thanks in advance for any help
Nicolas Canonne
Electronico
NEW-CALEDONIA (South Pacific)
On 30/03/2025 at 14:44, Nicolas Canonne wrote:
> Hi all,
>
>
> It was a well running Domain, with 2 DC, 1 File Server and around 20
> Windows clients until I started DC OS upgrades
>
>
> The 2 DC have been upgraded from Ubuntu20 with samba 4.15.13 to
> Ubuntu22, so they are now running samba 4.19.5
>
> (internal DNS used)
>
> DC1 was the Primary DC, DC2 was added later and sysvolsync configured
> with TranquilIT script
>
> (https://samba.tranquil.it/doc/fr/samba_advanced_methods/samba_tis_sysvolsync.html)
>
> OS upgrade has been started by DC2 (no error), then DC1
>
> During the upgrade process on DC1, I've been asked for DNS servers so
> I entered:
>
> DC1 DC2
>
> Then for the Kerberos server, I entered:
>
> DC1
>
>
> Now no client can connect to AD, Windows clients nor Linux (File Server)
>
>
> Thanks in advance if you could help, as I have tried all I could think
> of without any result ...
>
> Nicolas Canonne
>
>
> FS1
>
>> host -t A dc1.smb.rdk.nc
>> ;; communications error to 10.10.20.3#53: connection refused
>> ;; communications error to 10.10.20.3#53: connection refused
>> ;; no servers could be reached
>
>
> FS1
>
>> host -t A dc2.smb.rdk.nc
>> ;; communications error to 10.10.20.3#53: connection refused
>> ;; communications error to 10.10.20.3#53: timed out
>> ;; no servers could be reached
>
>
> DC1 /etc/samba/smb.conf
>
>> # Global parameters
>> [global]
>>     dns forwarder = 8.8.8.8
>>     netbios name = DC1
>>     realm = SMB.RDK.NC
>>     server role = active directory domain controller
>>     workgroup = SMB
>>     idmap_ldb:use rfc2307 = yes
>>     apply group policies = yes
>>     #tls enabled = yes
>>     #tls keyfile = tls/key.pem
>>     #tls certfile = tls/cert.pem
>>     #tls cafile
>>     #tls priority = NORMAL
>> [sysvol]
>>     path = /var/lib/samba/sysvol
>>     read only = No
>>
>> [netlogon]
>>     path = /var/lib/samba/sysvol/smb.rdk.nc/scripts
>>     read only = No
>
> DC2 /etc/samba/smb.conf
>
>> # Global parameters
>> [global]
>>     netbios name = DC2
>>     realm = SMB.RDK.NC
>>     server role = active directory domain controller
>>     workgroup = SMB
>>     idmap_ldb:use rfc2307 = yes
>>
>> [sysvol]
>>     path = /var/lib/samba/sysvol
>>     read only = No
>>
>> [netlogon]
>>     path = /var/lib/samba/sysvol/smb.rdk.nc/scripts
>>     read only = No
>
> FS1 /etc/samba/smb.conf
>
>> [global]
>>     security = ADS
>>     workgroup = SMB
>>     realm = SMB.RDK.NC
>>
>>     log file = /var/log/samba/%m.log
>>     log level = 1
>>
>>     # Default ID mapping configuration using the autorid
>>     # idmap backend. This will work out of the box for simple setups
>>     # as well as complex setups with trusted domains.
>>     idmap config * : backend = autorid
>>     idmap config * : range = 10000-9999999
>>     min domain uid = 0
>>     vfs objects = acl_xattr
>>     map acl inherit = yes
>>     # the next line is only required on Samba versions less than 4.9.0
>>     # store dos attributes = yes
>>
>>     bind interfaces only = yes
>>     interfaces = lo br0
>>
>>     winbind enum users = yes
>>     winbind enum groups = yes
>>
>>     # prohibits SMB\Administrator to be mapped as root on Member Server
>>     username map = /etc/samba/user.map
>>     # /etc/samba/user.map
>>     # !root = SMB\Administrator
>>     #
>>
>>     # CUPS
>>     #printing = CUPS
>>     #spoolss: architecture = Windows x64
>>     #load printers = yes
>>
>> [Profiles]
>>     path = /media/data/Profiles/
>>     read only = no
>>     #browseable = No
>>     read only = No
>>     csc policy = disable
>>
>>
>> [home]
>> #        comment = dossiers utilisateurs
>>         path = /media/data/home
>>         read only = No
>>
>> [journal]
>> #        comment = journal
>>         path = /media/data/journal
>>         read only = No
>>         vfs objects = recycle
>>         recycle:directory_mode = 0770
>>         recycle:subdir_mode = 0700
>>         recycle:versions = Yes
>>         recycle:keeptree = Yes
>>         recycle:touch = Yes
>>         recycle:repository = .recycle
>
>
>